Malware Attacks Drain Russian ATMs

Criminals have infected at least 50 ATMs in Eastern Europe, including Russia, with malware that enables them to drain ATMs of their cash via "jackpotting" attacks, netting attackers millions of dollars (see ATM Malware: Hackers' New Focus).

The international police organization Interpol has issued a global alert warning that criminals may soon use the malware against ATMs located not only in Eastern Europe, but around the world, including the United States.

The malware - variously referred to as PadPin and Tyupkin by anti-virus vendors - first surfaced in March 2014, according to the malware analysis database #Totalhash.

But Kaspersky Lab says the malware was recently installed on more than 50 machines across Eastern Europe, including Russia. "Based on submissions to VirusTotal, we believe that the malware has spread to several other countries, including the U.S., India and China," Kaspersky Lab researchers say in a blog post.

Meanwhile, Malaysia's The Star reports that over a three-day period at the end of September, attackers stole approximately 3 million Malaysian Ringgit - about $1 million (U.S.) - from 18 ATMs in that country. But police have yet to detail which malware attackers employed, meaning it's not clear if it was PadPin.

Using malware to "cash out" ATMs appears to be a new cybercrime tactic. "Past reports have been about malware which was used to capture card and PIN information from customers," Sean Sullivan, security advisor at anti-virus vendor F-Secure, tells Information Security Media Group. "This PadPin malware appears to be the first case of malware being used to drain cash directly from the ATM, without the need for customer data."

Financial organizations should expect more attacks of this nature because it lets criminals turn ATMs into their own personal "money machines," Troels Oerting, head of Europol's European Cybercrime Center, or EC3, tells ISMG. "It shows that the criminal underground is extremely agile and innovative in producing new types of malware," he says. "But they're also helped - to an extent - by the very, very low security of ATMs, which are still running old-fashioned Microsoft systems, and they take advantage of that, and the physical ability to approach them and make them spit out money."

Oerting says the campaign is "probably linked to Russian organized crime," and he expects repeat attacks. "I think we've just seen the tip of the iceberg in the case of these attacks against cash machines," he says, noting that the only way to truly block these types of exploits may be to embrace digital currency. "This could lead in the future ... to where cash will be something you see in museums."

ATM Malware Waits for Instructions

The PadPin malware literally allows an attacker to tell an ATM to dispense money - no credit or debit card required. An analysis published in May 2014 by Symantec says PadPin is a Trojan which, if installed, "enables an attacker to use the ATM PIN pad to submit commands to the Trojan," and can be set to automatically delete itself if the infection isn't successful. As that suggests, the malware can't be used to infect every type of ATM. To date, versions of the malware found in the wild have only been compatible with the Extension for Financial Services (XFS) DLL that runs in a 32-bit version of the Windows Embedded operating system, according to a blog post from F-Secure.

Likewise, Kaspersky Lab says the malware "affects [only] ATMs from a major ATM manufacturer," which it declined to name. But F-Secure says that, based on an analysis of the specific APIs used by the malware, it appears to correspond with a Programmer's Reference Manual published by ATM manufacturer NCR Corp., which contains instructions for programming NCR machines that use its NCR APTRA XFS self-service software for ATMs.

NCR didn't immediately respond to a request for comment on the report that its systems are targeted by the PadPin malware.

Kaspersky Lab says that when infecting an ATM with the malware, attackers register a unique access code with the Trojan running on that machine. That way, regular users - or other attackers - can't accidentally gain access to the Trojan's functionality. Kaspersky Lab also says the malware recovered from the infected Eastern European ATMs was set to work only on Sunday and Monday nights.

Once installed, the malware runs in the background, watching to see if a designated, preset numeric code gets entered on the PIN pad, after which the malware activates and lists the cash cassettes inside the ATM, as well as the number of bills each holds. The attacker - most likely a money mule - can select each cassette and instruct it to dispense up to 40 bills, Kaspersky says. Before the money gets dispensed, however, the mule must then enter a second code. And the malware can be set to disable access to the local network, says Symantec, presumably to foil any related monitoring that might trigger an alarm.
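The behavior described above gives operators a detection signal on the back end: cash leaves the machine with no authorized card transaction behind it, often on a Sunday or Monday night and in maximum-size dispenses. The following is an added example (not code from the article, Kaspersky or Symantec) that runs that logic over a constructed ATM journal; the event names and line format are assumptions, since real vendor journals differ.

```python
# Added example (not from the article, Kaspersky or Symantec): flag ATM cash
# dispenses with no authorized card transaction behind them, the core signature
# of a jackpotting attack. The journal format is constructed for illustration.
from datetime import datetime, timedelta

# Constructed sample journal: one normal withdrawal, then three cassettes emptied
# late on a Sunday night with no card session at all.
SAMPLE_JOURNAL = """\
2014-10-05 14:02:11 CARD_READ
2014-10-05 14:02:19 AUTH_OK amount=200
2014-10-05 14:02:24 DISPENSE cassette=1 bills=10
2014-10-05 14:02:40 SESSION_END
2014-10-05 23:41:02 DISPENSE cassette=1 bills=40
2014-10-05 23:41:33 DISPENSE cassette=2 bills=40
2014-10-05 23:42:07 DISPENSE cassette=3 bills=40
"""

AUTH_WINDOW = timedelta(seconds=120)  # a dispense must follow an AUTH_OK this closely
MAX_BILLS_PER_DISPENSE = 40           # per-cassette cap the article reports


def parse_journal(text):
    """Yield (timestamp, event, {key: value}) from the constructed journal format."""
    for line in text.splitlines():
        if line.strip():
            date, clock, event, *fields = line.split()
            ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
            yield ts, event, dict(f.split("=", 1) for f in fields)


def detect_jackpotting(text):
    """Return one alert dict per DISPENSE that has no open, recent AUTH_OK behind it."""
    alerts, last_auth = [], None
    for ts, event, kv in parse_journal(text):
        if event == "AUTH_OK":
            last_auth = ts
        elif event == "SESSION_END":
            last_auth = None            # session closed: later dispenses need a new AUTH_OK
        elif event == "DISPENSE":
            if last_auth is not None and ts - last_auth <= AUTH_WINDOW:
                continue                # authorized withdrawal, nothing to report
            # Off-hours and max-size dispenses are supporting indicators only: a real
            # customer can also withdraw late on a Sunday. weekday(): Mon == 0, Sun == 6.
            night = ts.hour >= 22 or ts.hour < 6
            alerts.append({
                "time": ts, "cassette": int(kv["cassette"]), "bills": int(kv["bills"]),
                "off_hours": night and ts.weekday() in (6, 0),
                "max_bills": int(kv["bills"]) >= MAX_BILLS_PER_DISPENSE,
            })
    return alerts
```

Run against the sample, the authorized daytime withdrawal passes silently and the three night-time dispenses are each reported with both supporting indicators set.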

Defensive Measures

To defend against ATM malware attacks, Kaspersky Lab's researchers recommend ATM operators focus, in part, on strengthening their physical security. "According to footage from security cameras at the location of the infected ATMs, the attackers were able to manipulate the device and install the malware via a bootable CD," they say. "The cyber-criminals behind Tyupkin infected only those ATMs that had no security alarm installed." Likewise, Kaspersky Lab recommends replacing any default locks issued by a manufacturer, because they're tied to default master keys that might work across a wide number of machines.

On a system level, Symantec recommends that ATMs be set to never auto-run executable files from network-attached or removable drives. Sullivan says ATM operators could also enable BIOS passwords and force users to manually enable a CD drive or USB port before they could be used.

Kaspersky Lab also recommends installing anti-virus software on ATMs, which might detect and block malware such as PadPin. But F-Secure's Sullivan says it's currently rare for anti-virus to be allowed to run on most such systems. "These types of computers are practically crippled compared to what we think of as a computer," he says. "They are expected to run in a nearly 'frozen' state." Anti-virus software, however, typically requires more dynamic interaction with a system, both to update signatures as well as scan and quarantine malware. "An extremely light AV client with cloud-based logic is what's needed - and we, among others, are working to develop such clients," he says.

But Mike Park, a security tester who specializes in ATM attacks at security firm Trustwave, says anti-virus software is not a practical solution for ATM operating systems.

"Most ATMs do a lot of file and network IO [input/output], meaning for every transaction being done, the ATM software is doing a great deal of reading and writing to disk or over a network," Park says. "AV is usually configured to scan for malware on both read and write operations, otherwise it would be very ineffective. Having AV scanning each file or network read would add seconds or even minutes to transactions - these machines read configuration files and write diagnostic logs all the time. Tuning AV would be a tremendous effort for something that, with the right encoding, could be fairly easily bypassed anyway. And some businesses have indicated that AV would cause the process of withdrawing cash, or doing other transactions, to become so slow that it would be unusable."

And while Park agrees physical security surrounding ATMs needs to improve, Trustwave recommends banking institutions and other ATM deployers use full disk encryption, so that when an ATM is rebooted or shut down, the operating system and the data on the disk are encrypted and unreadable. In most of the recent malware attacks, the ATM is first infected with malware from a USB or disk and then rebooted to launch the attack.

"This would prevent the criminals from being able to boot into an alternate OS to install malware or alter the operating system settings of the ATM," Park says.

To block attacks of this nature going forward, however, F-Secure's Sullivan says ATM manufacturers will have to work more closely with security researchers, and educate them in the intricacies of their ATM platform software. "ATM vendors would need to form a strong working partnership with their providers to make sure all environmental factors are known," he says. "Or else, the security vendor is working in the dark."

Some efforts to enhance information sharing among ATM manufacturers and other vendors are already under way. In August, ATM manufacturers Diebold Inc. and Wincor Nixdorf AG announced plans for the formation of a global industry group focused on thwarting ATM crime (see New Industry Group Tackles ATM Fraud).

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as Executive Editor of DataBreachToday and of European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.
